Automatic Isolation and Detection of Outbound Spam

ABSTRACT

Embodiments provide IP address partitioning features that can be used to source outbound email communications, but the embodiments are not so limited. In an embodiment, a computer-based method operates to identify and/or isolate one or more customers that may be misusing one or more IP addresses of a partition. A system of an embodiment is configured in part to divide a partition that includes one or more potentially misused IP addresses into one or more levels of sub-partitions as part of identifying offending or potentially offending customers. Other embodiments are included.

BACKGROUND

When dealing with multiple customers sharing the same outbound InternetProtocol (IP) space if one of the customers is compromised and startssending spam it can result in all customers who share the IP space beingblocked. Once an IP address is flagged as abusive, it may take days orweeks to repair, during which time email from the IP address may beblocked or throttled. Depending on the time to resolution, customerbusiness could encounter a serious setback.

SUMMARY

This summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended asan aid in determining the scope of the claimed subject matter.

Embodiments provide IP address partitioning features that can be used tosource outbound email communications, but the embodiments are not solimited. In an embodiment, a computer-based method operates to identifyand/or isolate one or more customers that may be misusing one or more IPaddresses of a partition. A system of an embodiment is configured inpart to divide a partition that includes one or more potentially misusedIP addresses into one or more levels of sub-partitions as part ofidentifying offending or potentially offending customers. Otherembodiments are included.

These and other features and advantages will be apparent from a readingof the following detailed description and a review of the associateddrawings. It is to be understood that both the foregoing generaldescription and the following detailed description are explanatory onlyand are not restrictive of the invention as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an exemplary computing or communicationarchitecture.

FIG. 2 is a flow diagram depicting an exemplary process of identifyingand/or removing potentially misused IP addresses from a partition of adatacenter.

FIG. 3 depicts an example of accounting for a volumetric shortfall uponremoving a bad IP address from a partition of a datacenter.

FIG. 4 is a flow diagram depicting an exemplary process of repairing abad or misused IP address.

FIG. 5 is a flow diagram depicting an exemplary process of identifyingand/or isolating potentially offending customers that may be misusingone or more IP addresses.

FIG. 6 depicts an example of dividing a partition serving customers intomultiple levels of sub-partitions.

FIG. 7 is a block diagram illustrating an exemplary computingenvironment for implementation of various embodiments.

FIG. 8 illustrates one embodiment of the architecture of a systemimplementing partitioning features to source outbound emails.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of an exemplary computing or communicationarchitecture 100 used in part to provide electronic email features, butis not so limited. As shown in FIG. 1, the exemplary architecture 100includes at least one server computer 102. While one server is shown, itwill be appreciated that complex communication architectures typicallyemploy multiple server computers, networking components, and otherhardware and software components. Components of the exemplaryarchitecture 100 can communicate and interact by way of wired and/orwireless networks.

As described below, components of the exemplary architecture 100 operatein part to mitigate the impact on customer outbound email communications(referred to as outbound email) in a service where multiple customersshare an IP space. For example, an email hosting service can use IPreputation and/or volume information to identify and isolate potentiallyabusive email practices, wherein the IP reputation and/or volumeinformation can be used to remove compromised IP addresses and/or moveIP addresses between partitions of a datacenter or datacenters in anintelligent fashion to ensure that email flow continues. As describedbelow, components of the exemplary architecture 100 of an embodiment areconfigured to detect or identify when an IP address of an originalpartition is blocked, remove or move the blocked IP address from theoriginal partition, and/or source reputable or good IP addresses fromother partitions to compensate for volumetric deficiencies resultingfrom the removal of an IP address.

Further action can be taken to recycle a potentially misused IP addressor mark a potentially misused IP address as a bad IP address. Forexample, a potentially misused IP address can be isolated using adedicated recycling partition and repair measures applied to clear orrecycle the potentially misused IP address. In one embodiment, a repairprocess first ensures that a potentially misused IP address has beenremoved from a blacklist or other blocking list (e.g., by manual and/orautomatic inspection) before using the previously blocked and now reusedIP address as part of the original or new sourcing partition to sourceoutbound email at a lower volume as compared to other IP addresses ofthe original or new sourcing partition. The volume of outbound emailsourced using a reused IP address can be slowly increased over time toregain a volume reputation as well as reducing or preventing furtherblocking as a result of a surge in volume.

Components of the exemplary architecture 100 can also be configured tomitigate potentially abusive email practices by identifying and/orisolating potentially offending customers while allowing non-offendingcustomers who share a partition to continue sending email with little orno disruption. In an embodiment, a process can be used with thecomponents to isolate potentially offending customers using multiplepartitions of IP addresses, wherein each partition is used to servegroups of customers who each share a subset of the IP addresses.

The process of one embodiment operates when an entire partition isblocked or multiple IP addresses of a partition are blocked due to acustomer sending spam or some other abusive email practice, wherein theprocess operates to split or divide the partition into a number of newsub-partitions with each new sub-partition being assigned a newunblocked IP address. The process is configured to drill down into thepartitioned customer base to locate a potentially offending customerwhile allowing customers to start sending email again using new IPaddresses. If the customer who was sending spam continues, it willresult in the new IP address (and sub-partition) being blocked, whereinthe process will then split the customers associated with the blockedsub-partition into a number of new sub-partitions while recombiningnon-offending customers using the original or a new partition withmultiple new IP addresses. The process repeats until there are noblocked sub-partitions or each blocked sub-partition includes a singlecustomer isolated from other non-offending customers.

The description of FIG. 1 encompasses, but is not limited to, serviceprovider networks wherein a service provider or host utilizes multipleIP addresses as part of providing outgoing electronic mail (email)services to a plurality of customers. The server 102 of an embodimentincludes an infrastructure distribution (IFD) component 104 configuredto manage application and use of various IP addresses using a number ofsourcing partitions or pools and/or rules in part to host outboundemails for the various customers. For example, the IFD component 104 canbe used to define rules that identify which particular IP addresses areto be used to source outbound emails, wherein each partition is used todefine the one or more IP addresses to use when sourcing.

The IFD component 104 of an embodiment is installed as role on server102 and configured to automatically remove blocked, damaged, and/orotherwise unhealthy reputation IP addresses from active service. The IFDcomponent 104 is also configured to rebuild volume reputations orsending histories for previously removed IP addresses in part bydefining rules that control the volume of allowed outbound email. Asdescribed below, the IFD component 104 can operate to remove potentiallymisused IP addresses as well as using IP address resources from otherpartitions to compensate for removal of a potentially misused IPaddress. A potentially misused IP address of one embodiment can bedefined as an IP address that has been blocked, blacklisted, orotherwise compromised and has not been repaired or reapplied.

IP addresses assigned to each partition may be transferred betweenpartitions as needed to replace IP addresses marked as bad orpotentially misused in order to maintain the volume of emails for the IPaddresses in a partition at the same or about the same relative level. Apotentially misused IP address may result from an inadvertent customeraction such as sending to an improper IP address for example. It is alsopossible for multiple IP addresses of a partition or an entire partitionof IP addresses to be blocked and the IFD component 104 can be used toisolate an offending customer as well as enabling other non-offendingcustomers to continue to send email.

As described below, the IFD component 104 can operate in part to isolateone or more customers whose email practices may be misusing an IPaddress while minimizing impact or interruption of other customeroutbound emails that may sharing a misused IP address. The IFD component104 of an embodiment includes complex programming code configured to usepartitioning logic and a plurality of partitions or pools of IPaddresses to source outbound emails for one or more customers associatedwith each partition. For example, an email hosting service can usepartitioning logic with 200 IP addresses to support the sourcing ofoutbound emails for 100 customers using 20 partitions with 5 differentIP addresses for each partition.

The IFD component 104 of an embodiment is configured to identify andisolate offending or potentially offending customers as well as removingand/or repairing IP addresses that have been identified as being misusedor potentially misused. The repairing or healing of a removed IP addressrequires that the removed IP address is not blocked, blacklisted, orotherwise compromised and/or does not have a desired volume reputation.For example, an IP address that has been cleared from being blacklistedwill most likely need to rebuild a desired volume reputation associatedwith the amount of emails sent daily as compared with other customerssharing the IP addresses of the partition.

The IFD component 104 can generate rules that allow for a controlledrepair process of a misused IP address by slowly or moderatelyincreasing outbound email volume until reaching a desired or definedvolume level or load. For example, on day one, an IP address underrepair may only source 1% of the total email volume for a partition,while the other IP addresses take 10% each. After a certain amount oftime, the rules can be used to control further increasing of emailvolume for the IP address under repair until reaching an equal orsubstantially equal percentage of volume as the other IP addresses inthe partition.

As shown in FIG. 1, the IFD component 104 uses reputation information106 to monitor partitions of IP addresses used to source outboundemails. For example, reputation information 106 can be provided by ablacklist or blocking monitoring service as well as in-house IPreputation monitors to identify IP addresses used to promote potentiallyabusive email practices that may adversely affect reputation. IPreputation of an embodiment is a measure that indicates how trustworthythird parties or other entities view an IP address. For example, ablacklisting or IP monitoring service can review emails and/or volume ofemails being sent to provide an IP reputation measure that can be usedin identifying blocked IP addresses and/or partitions.

An IP reputation measure of one embodiment can be used to define goodand/or bad IP addresses. A good IP address of an embodiment is definedas an IP address that is not currently blocked or blacklisted and has ahistory of sending some defined volume or amount of email. A bad IPaddress of an embodiment pertains to an IP address that is blocked orthrottled from sending all of its email. The IFD component 104 can usethe reputation information 106 in part to define rules that separateemail of different groups of customers into different partitions orpools of outbound IP addresses to reduce the impact on a number ofcustomers being blocked or affected.

As shown for the example of FIG. 1, the architecture 100 includes aplurality of logical partitions (collectively referred to as 110) thatare used as part of sourcing outbound emails for a plurality ofcustomers. According to an embodiment, the recycle and repair partition112 is used as part of isolating and repairing removed IP addresses,such as IP addresses that have been previously blocked or blacklisted,so that once repaired, a previously removed IP address can be reinsertedinto an original partition or a new partition. For example, a recycledIP address can be moved from the recycle and repair partition 112 to apartition to supplement the removal of a bad IP address. The recycle andrepair partition 112 of one embodiment can also be used to build thevolume reputation of removed or other types of IP addresses.

The IFD component 104 can use the partitions 110 to source different IPaddresses for different customers, wherein the customers may be groupedtogether and assigned to one or more partitions based on any number offactors (e.g., number of employees, non-competing companies, similaroutbound email volumes, reputations, etc.). For example, partition 114may be used to source 5 different IP addresses for a first group ofassociated customers, whereas partition 116 may be used to source 10different IP addresses for a second group of associated customers. Itwill be appreciated that various implementations may use differentnumbers of IP addresses to use with each partition as well asidentifying a number of customers to source using the partition.

As described briefly above, the IFD component 104 can be configuredprogrammatically to use the reputation information 106 to generate rulesthat define which partitions are to be used to source which customercommunications and/or an amount of outbound email volume allowed oversome period of time. As shown for the example of FIG. 1, the IFDcomponent 104 of an embodiment is configured to forward rules to apartition distribution component 108, such as a network load balancingdevice for example. The partition distribution component 108 of oneembodiment allows custom delivery and IP transformation rules to becreated and applied according to the rule inputs provided by the IFDcomponent 104.

The IFD component 104 of one embodiment can use an applicationprogramming interface (API) (e.g., “IControl” API) to convey rules thatenable the partition distribution component 108 to create partitionswith defined IP addresses and/or customers to serve, remove one or moreIP addresses from a partition, and/or move IP addresses betweenpartitions as part of managing a volume of email handled by each IPaddress of a partition. The IFD component 104 can communicate with adatabase server 122 that includes a rule database including an IP listtable or other data structure to store data for rules used by thepartition distribution component 108 and/or outbound mail server 118.

As described briefly above, the rules can be used in part to definepools or partitions 110 of IP addresses used to source outbound emailsof one or more customers associated with each of the partitions 110. Forexample, the rules can define a virtual forwarding IP (VIP) address of atarget for an “Irule” that sets the source address on communicationsleaving a networked datacenter, wherein each VIP address targets apartition that includes a plurality of assigned IP addresses. An Irulecan be described as a script written to specify individual connectionsto target a pool other than a default pool defined for a virtual serverwhich allows for the specifying of destinations for traffic to bedirected.

In one embodiment, the IFD component 104 generates a rule for thepartition distribution component 108 to remove a bad IP from a partitionand move the bad IP to the recycle and recovery partition 112 when thebad IP or the associated partition is blocked from sending email whichallows customers associated with the partition to continue to send emailwith minimal disruption regardless of the reason for blocking. In oneembodiment, the server 102 includes an IP address monitoring componentthat operates to provide reputation information 106 including good IP,bad IP, and/or other reputation or volume information.

The IFD component 104 is configured in part to account for volumetricchanges in amounts of outbound email apportioned to remaining IPaddresses of an affected partition by sourcing good or reputable IPaddresses from other partitions to alleviate impact on associatedcustomers when a previously used IP address is no longer available foroutbound emails. The IFD component 104 can generate rules to ensure thatno more than a certain percentage or volume of customer outbound emailis impacted at the same time or some other time, wherein the percentageor volume of customer outbound email of one embodiment can be madedependent on the number of available IP addresses in the currentpartition or another sourcing partition. As an example, once an IPaddress or a partition becomes blocked, the IFD component 104 generatesa rule such that the partition distribution component 108 removes thebad IP and/or moves one or more good or reputable IP addresses to reducethe blocking of non-offending customer email.

As described above, the reputation information 106 can be used toidentify when one IP address, multiple IP addresses, or an entirepartition of IP addresses is blocked. When multiple IP addresses or anentire partition is blocked, the IFD component 104 can generate rulesfor the partition distribution component 108 to split the customers ofan affected partition into a number of sub-partitions (see the exampleof FIG. 6) sourcing good IP addresses of other partitions. If a new IPaddress of a sub-partition is blocked, the IFD component 104 identifiesthat an offending customer is in that sub-partition. The othersub-partitions that are not blocked can be recombined back into theoriginal partition or a new partition along with new assigned IPaddresses. The rules can also instruct the partition distributioncomponent 108 to split the customers of the blocked sub-partition intonew sub-partitions and repeat the process until isolating a singlecustomer per partition to identify one or more offending customers.

The outbound mail server 118 of an embodiment includes an outboundrouting agent 120 that operates to rout agent outbound email to multipletargets based on rules read from the rule database 122. If there are norules in the rule database 122, the outbound mail server 118 will routeemail using a default partition (e.g., port 25). The outbound routingagent 120 of an embodiment controls an outbound IP address by changingan outbound port used on the outbound connections or couplings. Thepartition distribution component 108 can also use rules of the ruledatabase 122 to modify a connection or coupling and change an outboundIP address seen by the recipient email server 124 coupled through one ormore networks to match a desired IP address included in a partition.

The rule database 122 of an embodiment stores outbound routing rulesthat use email header information as part of applying the outboundrouting rules. Example criteria that the outbound routing rules can usefor matching a desired IP address include: sending Customer company ID;if the message has been marked as spam; if the message has been markedas bulk; and/or if the message is from a trial customer.

Outbound routing rules of one embodiment use the following parameters:

RuleID: (Unique RuleID, added to header of email if rule matched);

RuleCaptureValue: A regular expression with a capture to get a targetvalue to compare. Example: “X-SpamScore: ([0-9]+)”;

RuleValue: The value to which the rule compares;

RuleOperator: Example values “=,<=,>=,regex, Hash<=,Hash>=”;

SubRule: If there is a subrule that also needs to match it is appliedhere. −1 indicates there is no sub rule;

RulePriority: The priority level of the rule. Used to determine in whichorder the rules are applied, from lowest value to highest. The systemstops once a rule that applies is hit; and/or

TargetPartition: The partition to use if the rule matches.

As an implementation example, a format for a target partition can beconfigured as “(Name): Port” example: Outbound: 550 or Spam: 55. The IFDcomponent 104 can also use a number of alerts upon encountering an issuewhile operating. For example, the IFD component 104 can provide an alertwhen: unable to connect to a reputation component get IP reputationinformation; unable to access the partition distribution component 108;an error is encountered on the partition distribution component 108;upon reaching a threshold of bad IP addresses for a datacenter; and/orunable to access the database server 122 or upon a failure to access anIP List database.

The IFD component 104 of one embodiment operates as a control programand makes a call to check whether there are any bad IP addresses of anyassociated datacenters. For example, a host may implement 10datacenters, wherein each datacenter may use 200 IP addresses to sourceoutbound emails, resulting in managing of 2,000 IP addresses across alldatacenters, wherein the IFD component 104 can be configured to manageone or multiple datacenters. The IFD component 104 can use a number ofperformance counters to count the number of IP addresses evaluated in alast run and/or the number of bad IP addresses removed in the last run.The IFD component 104 can also track the number of IP addresses moved inthe last run and/or the number of IP addresses repaired in the last run.The architecture 100 is scalable and can include multiples of datacenters and IP addresses associated with each data center.

The IFD component 104 of one embodiment uses a configuration file thatcontains multiple configuration values to manage partitions 110. Theconfiguration file of one embodiment includes: 1) a fully qualifieddomain name (FQDN) of one distribution serve (here may be multipleentries, one for each data center floating IP address); 2) a maximumnumber of bad IP addresses associated with the maximum number of bad IPaddresses identified in each data center; 3) the IP reputation datasource that contains the address from which the IFD component 104obtains IP reputation information 106; and/or 4) a maximum repair growthrate that controls the maximum percentage to increase load on eachpartition or IP address each day or at some other interval.

In an embodiment, the IFD component 104 is accessed as a command lineutility run with different parameters to perform different functions.The IFD component 104 of one embodiment is configured to call a monitorparameter as a scheduled task to receive the reputation information 106and check if any IP addresses of one or more datacenters have beenmarked as bad or misused and/or if any action is required by thepartition distribution component 108. In an embodiment, the IFDcomponent 104 uses the monitor parameter to perform the followingsteps: 1) download current (e.g., yesterday, last 3 days, etc.) IPreputation data from one or more IP reputation data sources; 2) querythe partition distribution component 108 in the configuration file forthe current status of which IP addresses are located in each partitionand/or datacenter and/or IP connection statistics; 3) move any IPaddresses marked as bad out of the associated partition; and/or 4) moveone or more good IP addresses from one or more other partitions torebalance the load as needed.

The IFD component 104 can also be configured to call (e.g., daily, every2 days, etc.) a repair parameter to repair IP address reputations byincreasing an amount of volume percentage of allowed outbound emails fora defined time or period. In an embodiment, the IFD component 104 usesthe repair parameter to perform the following steps: 1) query thepartition distribution component 108 (may be multiple such components)for current IP addresses of all active partitions along with theirvolume load percentage and IP volume statistics; 2) if the volume loadpercentage of any IP addresses of a partition are less than the volumeload percentage of other IP addresses of the partition, then check tosee if a lean IP address is eligible/allowed to have the volume ofoutbound email increased based on the volume history of the lean IPaddress provided by the partition distribution component 108 whilecomparing the volume histories of the IP addresses of the partition;and/or 3) repeat until the lean IP has the same or similar load orvolume percentage as the other IP addresses of the partition;.

The IFD component 104 can use various commands (e.g., cmdlets) to createoutbound rules for insertion into the database server 122 and/ormove/update the settings of IP addresses for each partition. For examplecmdlets can be configured as:

Cmdlet add-poolmember

This command adds an IP address to a Pool

Syntax: add-poolmember 1.2.3.4 PoolNameHere1

Example: add-poolmember add 1.2.3.4 OutboundSnatPool1

cmdlet remove-poolmember

Syntax: remove-poolmember 1.2.3.4 PoolNameHere1

Example: remove-poolmember 1.2.3.4 OutboundSnatPool1

Cmdlet get-poolmember

This parameter gives a dump of the current settings on partitions:

Syntax: get-poolmember list (OptionalDCName)

Example: get-poolmember ipcontrol comp4.

The client devices/systems described herein can be configured with atleast one processor, system memory, and networking components. Systemmemory can include volatile (e.g. random access memory (RAM)),non-volatile (e.g. read-only memory (ROM)), flash memory, etc. It willbe appreciated that embodiments described herein may also be practicedin conjunction with other operating systems, device/system types, and/orother application programs. As will be appreciated, the clientdevice/systems use the networking functionality to communicate andutilize functionality of remote systems, such as various servers and/orremote storage farms or locations.

Various embodiments can be used with a number of computerconfigurations, including hand-held devices, multiprocessor systems,microprocessor-based or programmable consumer electronics,minicomputers, mainframe computers, etc. Various embodiments can beimplemented in distributed computing environments using remoteprocessing devices/systems that communicate over a one or morecommunications networks. In a distributed computing environment, programmodules or code may be located in both local and remote memory. Variousembodiments can implement system-on-a-chip (SOC) features that mayinclude one or more processors, graphics components, communicationcomponents, etc. For example, a SOC can include a central processingunit, a graphics processor, memory, USB controller, power managementcircuits, wireless radio(s) (WiFi, cellular, etc.), and/or othercomponents. Various embodiments may be implemented as a process ormethod, a system, a device, or computer readable storage for example.

FIG. 2 is a flow diagram depicting an exemplary process 200 ofidentifying and/or removing bad and potentially misused IP addressesfrom a partition of a datacenter according to an embodiment. The process200 at 202 begins by receiving and/or using reputation informationassociated with multiple IP addresses of one or more partitions of thedatacenter. As described above, logical partitions of different IPaddresses can be used to source outbound emails for customers that areassociated with the datacenter. As an example, the process 200 at 202can request IP reputation information to identify bad or misused IPaddresses associated with one or more datacenter partitions and/or oneor more customers.

If there is a bad or misused IP address at 204, the process 200 operatesto check whether a certain number or percentage of IP addresses havebeen removed from the partition. If a certain number or percentage of IPaddresses have been removed at 204, the process 200 proceeds to 206 andoperates to provide an alert regarding the partition and/or IP addressstatus. For example, if more than half or some other amount of thenumber of IP addresses have already been removed from a partition withina defined amount of time, the process 200 at 206 can operate to providean alert to notify a responsible party or individual (e.g., an email,text, call, etc.), generate a support ticket, and/or trigger a workflowin attempting to correct the cause of the alert.

If a certain number or percentage of IP addresses have not been removedat 204, the process 200 continues to 208 and removes the bad or misusedIP address from the partition. For example, the process 200 continues to208 and removes the bad or misused IP address from the partition andmoves it to a repair and recovery partition or other location to allowfor future repair and reuse. If removal of the bad or misused IP addressdoes not cause the remaining IP addresses to absorb more than a definedload or percentage of volume increase at 210, the process 200 proceedsto 212 and continues monitoring the partitions since the remaining IPaddresses of the partition are able to absorb the additional load.

If, however, removal of the bad IP does cause the remaining IP addressesto absorb more than a defined percentage or volume increase at 210, theprocess 200 continues to 214 and moves or sources good or reputable IPaddresses from one or more different partitions that have similar loadsor volumes as compared to the removed IP address as part of accountingfor the volumetric shortfall or additional load before returning to 212.For example, if the removed IP address was sending 500 emails a day, twoIP addresses who are sending about 250 emails per day can be moved tocompensate for the additional 500 email load. While a certain number andorder of operations is described for the exemplary flow of FIG. 2, itwill be appreciated that other numbers and/or orders can be usedaccording to desired implementations.

FIG. 3 depicts an example of using the process 200 as part of accountingfor a volumetric shortfall upon removing a bad IP address from apartition of a datacenter. As shown in FIG. 3, an IP address 302 and anIP address 304 have been removed from a first partition 300 after beingidentified as a bad or potentially misused IP addresses. For thisexample, removal of the IP addresses 302 and 304 have resulted in avolumetric shortfall as the remaining IP addresses have to account fortoo much load. IP address 306 has been moved from partition 308 and IPaddress 310 has been moved from partition 312 to account for theadditional load due to their similar volume reputations and histories.As described above, IP addresses 302 and 304 may be recycled and reusedagain to source outbound email communications.

FIG. 4 is a flow diagram depicting an exemplary process 400 of repairinga bad or misused IP address according to an embodiment. At 402, theprocess 400 operates to check the status the IP address to determinecurrent blocked or blacklisted status of one or more IP addresses to berecycled. If the IP address is still blocked at 404, the process 400operates to keep the bad or misused IP address in a recycle partition at406 and loop back to 402. If the IP address is no longer blocked at 404,the process 400 operates at 408 to reuse the previously marked bad ormisused IP address with a new partition and start allowing sending of apreliminary volume of outbound email.

After a defined or configurable amount of time, the process 400 at 410rechecks the IP address being recycled to determine if it has beenblocked or otherwise compromised again. If the IP address being recycledis blocked or otherwise compromised at 410, the process 400 operates at412 to mark the previously marked bad IP address as bad and move the badIP to the recycle partition. If the previously marked bad IP address isnot blocked or otherwise compromised at 410, the process 400 at 414operates to continue increasing the email volume or load whilecontinuing to check reputation and/or status over timed intervals untilan outbound email volume is at a similar level or load as other IPaddresses in the new partition before returning to 402. Recycled IPaddresses provided by the process 400 can be reintroduced into adatacenter partition to begin sourcing outbound emails.

As an implementation example, the process 400 can operate to control avolumetric email increase for a candidate IP address that has sent anaverage of 100 emails per day with a 1% load on an associated partition.The other IP addresses in the partition have sent an average of 1000emails per day and have a 10% load each. As such, each IP has an averageload that matches a volume setting. The process 400 can increase theload on the candidate IP address incrementally such as from 1% load to1.3% and so on for this example. Being able to recycle and repair IPaddresses allows for an efficient IP address reuse. While a certainnumber and order of operations is described for the exemplary flow ofFIG. 4, it will be appreciated that other numbers and/or orders can beused according to desired implementations.

FIG. 5 is a flow diagram depicting an exemplary process 500 ofidentifying and/or isolating potentially offending customers that may bemisusing one or more IP addresses associated with a partition ofmultiple IP addresses according to an embodiment. As an implementationexample, the process 500 can be implemented in part using complexprogramming code and one or more server computers as part of an emailhosting infrastructure that employs multiple partitions of IP addresses,wherein each partition can include multiple IP addresses to hostoutbound emails for multiple customers.

In one embodiment, the process 500 is activated when more than one IPaddress of a partition is blocked or otherwise identified as bad orpotentially misused. The process 500 is configured to expeditiouslyisolate one or more customers who may be sending spam or other unwantedemail communications. At 502, the process 500 of an embodiment operatesto process and use information regarding the blocking of a partition dueto the misuse or compromise of more than one IP address of the partitionused to source outbound emails. For example, the process 500 at 502 canuse an in-house IP reputation system and/or one or more third partysystems to gather IP reputation information including blocked status,blacklisted status, lean volume status, etc.

At 504, the process 500 operates to split or divide a blocked partitioninto a plurality of sub-partitions and/or assign a new IP address and/orone or more customers associated with the original partition to eachsub-partition of the plurality of sub-partitions. The process 500 canuse random and/or definite assignments according to each particularimplementation. For example, the process 500 at 504 can operate to splita partition servicing 100 customers into 10 sub-partitions (see FIG. 6for example), wherein 10 customers and new (or recycled) IP addressesare assigned to each of the 10 sub-partitions. As such, eachsub-partition uses one newly assigned IP address to continue serving oneor more customers of the blocked partition.

At 506, the process 500 operates to monitor each new IP address of thesub-partitions for a defined amount of time (e.g., a defined number ofhours) to identify and/or isolate any potentially offending customers.At 508, if none of the new IP addresses are blocked or otherwiseidentified as bad or potentially misused after the defined amount oftime to monitor has passed, the process 500 proceeds to 510 and combinesthe unblocked sub-partitions back together into the original partitionor a new partition while assigning new and/or recycled IP addresses tosource emails for the re-combined customers of the unblockedsub-partitions before returning to 502.

If an IP address of one or more of the sub-partitions has been blockedor otherwise identified as bad or potentially misused at 508 and thereis more than one customer associated with the one or more marked as badsub-partitions at 512, the process 500 operates at 510 to combine theunblocked sub-partitions back together into the original partition or anew partition while assigning new or recycled IP addresses to sourceemails before returning to 504 and splitting or dividing the blocked orotherwise identified as bad or potentially misused sub-partitions into anumber of additional sub-partitions. In an embodiment, the operation ofcombining at 510 follows the splitting of any blocked sub-partition intoa number of additional sub-partitions.

The recombining of the unblocked sub-partitions enables reputablecustomers to operate again normally. Continuing the example above,suppose that two of the sub-partitions including 10 customers each weresubsequently blocked, the process 500 at 504 can operate to split eachaffected sub-partition into 10 new sub-partitions that includes onecustomer per partition thereby expeditiously identifying any offendingcustomer. With continuing reference to FIG. 5, if an IP address of oneor more of the sub-partitions has been blocked or otherwise identifiedas bad or potentially misused at 508 but the associated sub-partitiononly includes one customer at 512, the process 500 returns to 502 as theproblem has been mitigated by identifying and isolating any offendingcustomers. Once one or more customers have been identified as offending,further action can be taken in attempts to enable the customer torebuild its email reputation. While a certain number and order ofoperations is described for the exemplary flow of FIG. 5, it will beappreciated that other numbers and/or orders can be used according todesired implementations.

FIG. 6 depicts an example of dividing a partition 600 serving 100customers into multiple levels of sub-partitions using the process 500as part of identifying a datacenter customer having email practices thathave resulted in multiple IP addresses being blocked. As shown in FIG.6, the partition 600 has been divided into 5 first level sub-partitions602-610, wherein a new IP address is assigned to each of thesub-partitions as described above. Customers 1-20 have been assigned tosub-partition 602, customers 21-40 have been assigned to sub-partition604, customers 41-60 have been assigned to sub-partition 606, customers61-80 have been assigned to sub-partition 608, and customers 81-100 havebeen assigned to sub-partition 610. As described above, thesub-partitions 602, 604, 608, and 610 can be re-combined into theoriginal partition or a new partition.

After being blocked or marked as bad, sub-partition 606 has been dividedinto 4 second level sub-partitions, wherein a new IP address is assignedto each sub-partition. Since sub-partition 606 has been blocked, process500 divides sub-partition 606 such that customers 41-45 have beenassigned to sub-partition 612, customers 46-50 have been assigned tosub-partition 614, customers 51-55 have been assigned to sub-partition616, and customers 56-60 have been assigned to sub-partition 618.

After being blocked or marked as bad, the process 500 has operated todivide sub-partition 614 into 5 third level sub-partitions, onesub-partition for each customer, wherein a new IP address is assigned toeach sub-partition. For this example, third level sub-partition 620 hasbeen blocked and customer 48 has been identified as the spamming oroffending customer. For this example, the amount of dividing differsfrom level to level but may also be the same amount of dividing at eachlevel depending in part on the number of customers and/or IP addresses.

It will be appreciated that various features described herein can beimplemented as part of a processor-driven computer environment includinghardware and software components. Also, while certain embodiments andexamples are described above for illustrative purposes, otherembodiments are included and available, and the described embodimentsshould not be used to limit the claims. Suitable programming meansinclude any means for directing a computer system or device to executesteps of a process or method, including for example, systems comprisedof processing units and arithmetic-logic circuits coupled to computermemory, which systems have the capability of storing in computer memory,which computer memory includes electronic circuits configured to storedata and program instructions or code.

An exemplary computer program product is useable with any suitable dataprocessing system. While a certain number and types of components aredescribed above, it will be appreciated that other numbers and/or typesand/or configurations can be included according to various embodiments.Accordingly, component functionality can be further divided and/orcombined with other component functionalities according to desiredimplementations. The term computer readable media as used herein caninclude computer storage media or computer storage. The computer storageof an embodiment stores program code or instructions that operate toperform some function. Computer storage media can include volatile andnonvolatile, removable and non-removable media implemented in any methodor technology for storage of information, such as computer readableinstructions, data structures, program modules, etc.

System memory, removable storage, and non-removable storage are allcomputer storage media examples (i.e., memory storage.). Computerstorage media may include, but is not limited to, RAM, ROM, electricallyerasable read-only memory (EEPROM), flash memory or other memorytechnology, CD-ROM, digital versatile disks (DVD) or other opticalstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic storage devices, or any other medium which can be used tostore information and which can be accessed by a computing device. Anysuch computer storage media may be part of a device or system. By way ofexample, and not limitation, communication media may include wired mediasuch as a wired network or direct-wired connection, and wireless mediasuch as acoustic, RF, infrared, and other wireless media.

The embodiments and examples described herein are not intended to belimiting and other embodiments are available. Moreover, the componentsdescribed above can be implemented as part of networked, distributed,and/or other computer-implemented environment. The components cancommunicate via a wired, wireless, and/or a combination of communicationnetworks. Network components and/or couplings between components of caninclude any of a type, number, and/or combination of networks and thecorresponding network components which include, but are not limited to,wide area networks (WANs), local area networks (LANs), metropolitan areanetworks (MANs), proprietary networks, backend networks, cellularnetworks, etc.

Client computing devices/systems and servers can be any type and/orcombination of processor-based devices or systems. Additionally, serverfunctionality can include many components and include other servers.Components of the computing environments described in the singular tensemay include multiple instances of such components. While certainembodiments include software implementations, they are not so limitedand encompass hardware, or mixed hardware/software solutions.

Terms used in the description, such as component, module, system,device, cloud, network, and other terminology, generally describe acomputer-related operational environment that includes hardware,software, firmware and/or other items. A component can use processesusing a processor, executable, and/or other code. Exemplary componentsinclude an application, a server running on the application, and/or anelectronic communication client coupled to a server for receivingcommunication items. Computer resources can include processor and memoryresources such as: digital signal processors, microprocessors,multi-core processors, etc. and memory components such as magnetic,optical, and/or other storage devices, smart memory, flash memory, etc.Communication components can be used to communicate computer-readableinformation as part of transmitting, receiving, and/or renderingelectronic communication items using a communication network ornetworks, such as the Internet for example. Other embodiments andconfigurations are included.

Referring now to FIG. 7, the following provides a brief, generaldescription of a suitable computing environment in which embodiments beimplemented. While described in the general context of program modulesthat execute in conjunction with program modules that run on anoperating system on a personal computer, those skilled in the art willrecognize that the invention may also be implemented in combination withother types of computer systems and program modules.

Generally, program modules include routines, programs, components, datastructures, and other types of structures that perform particular tasksor implement particular abstract data types. Moreover, those skilled inthe art will appreciate that the invention may be practiced with othercomputer system configurations, including hand-held devices,multiprocessor systems, microprocessor-based or programmable consumerelectronics, minicomputers, mainframe computers, and the like. Theinvention may also be practiced in distributed computing environmentswhere tasks are performed by remote processing devices that are linkedthrough a communications network. In a distributed computingenvironment, program modules may be located in both local and remotememory storage devices.

As shown in FIG. 7, computer 2 comprises a general purpose server,desktop, laptop, handheld, or other type of computer capable ofexecuting one or more application programs including an emailapplication or other application that includes email functionality. Thecomputer 2 includes at least one central processing unit 8 (“CPU”), asystem memory 12, including a random access memory 18 (“RAM”) and aread-only memory (“ROM”) 20, and a system bus 10 that couples the memoryto the CPU 8. A basic input/output system containing the basic routinesthat help to transfer information between elements within the computer,such as during startup, is stored in the ROM 20. The computer 2 furtherincludes a mass storage device 14 for storing an operating system 24,application programs, and other program modules/resources 26.

The mass storage device 14 is connected to the CPU 8 through a massstorage controller (not shown) connected to the bus 10. The mass storagedevice 14 and its associated computer-readable media providenon-volatile storage for the computer 2. Although the description ofcomputer-readable media contained herein refers to a mass storagedevice, such as a hard disk or CD-ROM drive, it should be appreciated bythose skilled in the art that computer-readable media can be anyavailable media that can be accessed or utilized by the computer 2.

According to various embodiments, the computer 2 may operate in anetworked environment using logical connections to remote computersthrough a network 4, such as a local network, the Internet, etc. forexample. The computer 2 may connect to the network 4 through a networkinterface unit 16 connected to the bus 10. It should be appreciated thatthe network interface unit 16 may also be utilized to connect to othertypes of networks and remote computing systems. The computer 2 may alsoinclude an input/output controller 22 for receiving and processing inputfrom a number of other devices, including a keyboard, mouse, etc. (notshown). Similarly, an input/output controller 22 may provide output to adisplay screen, a printer, or other type of output device.

As mentioned briefly above, a number of program modules and data filesmay be stored in the mass storage device 14 and RAM 18 of the computer2, including an operating system 24 suitable for controlling theoperation of a networked personal computer, such as the WINDOWSoperating systems from MICROSOFT CORPORATION of Redmond, Wash. The massstorage device 14 and RAM 18 may also store one or more program modules.In particular, the mass storage device 14 and the RAM 18 may storeapplication programs, such as word processing, spreadsheet, drawing,e-mail, and other applications and/or program modules, etc.

FIG. 8 illustrates one embodiment of the architecture of a systemimplementing partitioning features to source outbound emails. Content,including partitioning and addressing information may be stored indifferent communication channels or storage types. For example, variousinformation may be stored using a directory service 822, a web portal824, a mailbox service 826, an instant messaging store 828, and/or asocial networking site 830. A server 820 may provide variousinfrastructure distribution features to customer. As one example, theserver 820 may provide rules that are used to distribute outbound emailusing a number of datacenter partitions over network 815, such as theInternet or other network(s) for example. By way of example, the clientcomputing device may be implemented as a general computing device 802and embodied in a personal computer, a tablet computing device 804,and/or a mobile computing device 806 (e.g., a smart phone). Any of theseclients may use content from the store 816.

Embodiments of the invention, for example, are described above withreference to block diagrams and/or operational illustrations of methods,systems, and computer program products. The functions/acts noted in theblocks may occur out of the order as shown in any flowchart. Forexample, two blocks shown in succession may in fact be executedsubstantially concurrently or the blocks may sometimes be executed inthe reverse order, depending upon the functionality/acts involved.

The description and illustration of one or more embodiments provided inthis application are not intended to limit or restrict the scope of theinvention as claimed in any way. The embodiments, examples, and detailsprovided in this application are considered sufficient to conveypossession and enable others to make and use the best mode of claimedinvention. The claimed invention should not be construed as beinglimited to any embodiment, example, or detail provided in thisapplication. Regardless of whether shown and described in combination orseparately, the various features (both structural and methodological)are intended to be selectively included or omitted to produce anembodiment with a particular set of features. Having been provided withthe description and illustration of the present application, one skilledin the art may envision variations, modifications, and alternateembodiments falling within the spirit of the broader aspects of thegeneral inventive concept embodied in this application that do notdepart from the broader scope of the claimed invention.

It should be appreciated that various embodiments can be implemented (1)as a sequence of computer implemented acts or program modules running ona computing system and/or (2) as interconnected machine logic circuitsor circuit modules within the computing system. The implementation is amatter of choice dependent on the performance requirements of thecomputing system implementing the invention. Accordingly, logicaloperations including related algorithms can be referred to variously asoperations, structural devices, acts or modules. It will be recognizedby one skilled in the art that these operations, structural devices,acts and modules may be implemented in software, firmware, specialpurpose digital logic, and any combination thereof without deviatingfrom the spirit and scope of the present invention as recited within theclaims set forth herein.

Although the invention has been described in connection with variousexemplary embodiments, those of ordinary skill in the art willunderstand that many modifications can be made thereto within the scopeof the claims that follow. Accordingly, it is not intended that thescope of the invention in any way be limited by the above description,but instead be determined entirely by reference to the claims thatfollow.

What is claimed is:
 1. A system comprising: at least one server computerconfigured to: use a partition associated with a plurality of InternetProtocol (IP) addresses used for outbound email communications; if thepartition is blocked from sending outbound email communications generaterules to: divide the partition into a plurality of sub-partitions;assign individual IP addresses to each of the plurality ofsub-partitions; monitor the plurality of sub-partitions to detect when asub-partition is blocked from sending outbound email communications andcontinue to divide any blocked sub-partition until there are no blockedsub-partitions or a single customer exists in a blocked sub-partition;and recombine any unblocked sub-partitions into a new partition andsource reputable IP addresses from other unblocked partitions forsending outbound email communications.
 2. The system of claim 1, whereinthe server computer is further configured to assign new IP addresses forthe new partition.
 3. The system of claim 1, wherein the server computeris further configured to receive IP address reputation information froma reputation component as part of determining a blocked status of apartition or a sub-partition.
 4. The system of claim 1, wherein theserver computer is further configured to monitor reputations of blockedsub-partitions for a designated amount of time before allowing outboundemail communications from the blocked sub-partitions.
 5. The system ofclaim 1, wherein the server computer is further configured toautomatically mitigate outbound customer email from being blocked. 6.The system of claim 1, wherein the server computer is further configuredto generate rules that assign known reputable IP addresses from one ormore different partitions for each of the plurality of sub-partitions.7. The system of claim 1, wherein the server computer is furtherconfigured to generate rules that randomly assign one or more customersassociated with the partition to each of the plurality of sub-partitionsas part of isolating spamming customers.
 8. The system of claim 1,wherein the server computer is further configured to monitor the newpartition to determine whether the new partition is blocked.
 9. Thesystem of claim 1, wherein the server computer is further configured toreceive reputation information associated with each IP address as partof identifying spamming customers.
 10. The system of claim 1, whereinthe server computer is further configured to isolate spamming customersto prevent sending of outbound email from the spamming customers.
 11. Amethod comprising: using a partition that includes a plurality of IPaddresses used for outbound email communications for a group ofcustomers; determining if the partition is blocked from sending outboundemail communications; if the partition is blocked from sending outboundemail communications: dividing the blocked partition into a plurality ofsub-partitions and randomly assigning one or more customers of the groupof customers to each sub-partition; sourcing reputable IP addresses toeach of the plurality of sub-partitions; detecting when a sub-partitionis blocked from sending outbound email communications and continue todivide any blocked sub-partition until there are no blockedsub-partitions or a single customer exists in a blocked sub-partition;and recombining any unblocked sub-partitions.
 12. The method of claim11, further comprising recombining unblocked sub-partitions into a newpartition and sourcing good IP addresses from other unblockedpartitions.
 13. The method of claim 11, further comprising monitoringthe plurality of sub-partitions for a designated amount of time toidentify further spamming.
 14. The method of claim 11, furthercomprising: if one or more first sub-partitions are blocked from sendingoutbound email communications for more than one customer of the group ofcustomers: dividing each of the first sub-partitions that are blockedinto a plurality of second sub-partitions and assigning one or morecustomers of the group of customers in each of the secondsub-partitions; assigning a good IP address to each of the plurality ofsecond sub-partitions; monitoring the plurality of second sub-partitionsto identify if one or more of the second sub-partitions are blocked fromsending outbound email communications; and identifying a customer of oneof the second sub-partitions that are being blocked from sendingoutbound email communications.
 15. The method of claim 11, furthercomprising contacting a spamming customer to inform of a blocked status.16. The method of claim 11, further comprising allowing one or morecustomers not identified as spammers to send outbound emailcommunications.
 17. Computer storage which stores executableinstructions that operate to: receive blocked partition informationassociated with a plurality of IP addresses; divide a blocked partitioninto a plurality of first sub-partitions; assign a reputable IP addressfor each of the plurality of first sub-partitions; monitor a status ofeach of the plurality of first sub-partitions to identify if a firstsub-partition is blocked from sending outbound email communications; ifa first sub-partition is blocked and includes more than one customer,then: divide the first sub-partition that is blocked into a plurality ofsecond sub-partitions; assign new IP addresses for each of the pluralityof second sub-partitions; monitor a status of each of the plurality ofsecond sub-partitions to identify if a second sub-partition is blockedfrom sending outbound email communications; if a blocked secondsub-partition exists and includes one customer then identify the onecustomer as a spamming source; and resolve the blocked partition byrecombining unblocked ones of the first and second sub-partitions into anew partition.
 18. The computer storage of claim 17, wherein theinstructions operate further to contact a customer of a blockedsub-partition to inform of a spamming issue.
 19. The computer storage ofclaim 17, wherein the instructions operate further to automaticallymitigate outbound customer email from being blocked.
 20. The computerstorage of claim 17, wherein the instructions operate further torandomly assign one or more customers associated with the partition toeach of the plurality of sub-partitions as part of isolating spammingcustomers while reducing disruption of other customer email.